Hey InfoSec, Remember to KISS – By Chris Gebhardt

October was National Cyber Security Awareness Month in the United States. Or, as others are calling it, National Cyber Security Fatigue Month. The sentiment is people are tired of hearing the yells and screams of InfoSec staffers to change passwords, don’t write your passwords down, don’t use USB drives, secure your hard drives, two-factor authentication, and more. So I am directing this article to my fellow Information Security pros, Cyber Security pros, and White Hat Ninjas.

“Keep It Simple, Security.”

The inventor of Keep It Simple Stupid was a genius. He (or she to be fair) created a slogan so easy, so succinct that we continue to use it and be guided by it. Four words that have guided many developments, projects, and the like. And for good reason.

Often times, we try to explain in detail the reasons for an action we’d like users to take. “You need to change your password and use different ones so the criminal element can’t hack a hash, determine your password, and use it to send phishing emails to your associates.” This is too much information. KISS: “Change your password every 90 days.” When people see and hear this message over and over, it is easier to receive into the subconscious.

It has been proven that simple messages are easier to retain. Repetition also enters the equation but complicated messages frequently repeated are known to result in less retention. As an IT Director, I came up with the short and simple CPR acronym for our company: Connectivity, Power, Reboot. It was the first level of self-service for tech support. We posted simple, easy to read signs throughout our buildings. After a while, it caught on because staff would come to us with a problem saying, “I already did CPR.”

Information Security is suffering right now as the hot topic. As such, people get tired of hearing about it. Much like US-based elections. It has turned into Information Overload. Keep It Simple, Security.

Found a USB Drive? Don’t Plug It In. Turn it over to Security.

But what about communicating through email? We can explain ourselves there without burdening people. Nope. Not the case. We are all deluged with emails. Keeping it short in email is also paramount to message receptivity.

So what should we say during Cyber Security Month? Happy Cyber Security Awareness Month? Good Cyber Security Awareness Month? May the odds be ever…. How about just, “Work smart and think before you click.”